From patchwork Mon Nov 21 19:09:37 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 83290 Delivered-To: patch@linaro.org Received: by 10.140.97.165 with SMTP id m34csp1713926qge; Mon, 21 Nov 2016 11:10:13 -0800 (PST) X-Received: by 10.129.86.139 with SMTP id k133mr15595935ywb.30.1479755412934; Mon, 21 Nov 2016 11:10:12 -0800 (PST) Return-Path: Received: from sourceware.org (server1.sourceware.org. [209.132.180.131]) by mx.google.com with ESMTPS id y205si5094896ywa.432.2016.11.21.11.10.12 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 21 Nov 2016 11:10:12 -0800 (PST) Received-SPF: pass (google.com: domain of libc-alpha-return-74994-patch=linaro.org@sourceware.org designates 209.132.180.131 as permitted sender) client-ip=209.132.180.131; Authentication-Results: mx.google.com; dkim=pass header.i=@sourceware.org; spf=pass (google.com: domain of libc-alpha-return-74994-patch=linaro.org@sourceware.org designates 209.132.180.131 as permitted sender) smtp.mailfrom=libc-alpha-return-74994-patch=linaro.org@sourceware.org; dmarc=fail (p=NONE dis=NONE) header.from=linaro.org DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:subject:date:message-id; q=dns; s= default; b=jHE4QK0FPFFJZe0UakPjyc1VrFVRq4sWz9KERpuhAdq5b7Nutabtj +TQ/O5H8EmsnUBSz/W8Q9/N6q7tiAb609dVmLnLtD1KeO6UNEep6yRDc2sPTd86x aEeOJWDM8tFi72rk/f5or5twGXHcImweobJ8h2G2jDrTHQOXcvEUCM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:subject:date:message-id; s=default; bh=1z+hIsrzAlXtXm6+2Ct977mylsQ=; b=kUCufPjZ4dE994mmvsM8W2iPWjPH GknxAyd95GCUx0lbSfF8JdgaD2BO0kaZxTi96xq/3yZemgNkhNVVejRSWXlvxu4y DcnoYDwkRq+il81SvgrEphqC6MqSYA7IRLqdYfpVB+4dRCZbGOG/m/Ey8/88yhHk Z1yItcjX5wFuJW4= Received: (qmail 51195 invoked by alias); 21 Nov 2016 19:09:56 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 51179 invoked by uid 89); 21 Nov 2016 19:09:55 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.4 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE, RCVD_IN_SORBS_SPAM, SPF_PASS autolearn=no version=3.3.2 spammy= X-HELO: mail-ua0-f174.google.com X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:message-id; bh=p+KIWU7b6XlHgfXI2mMNrmsoigxqbIGadOP3ywY4k9Q=; b=MxagNQCXfTxBES5niENl9OwmLR7CVLCaP9lh8TOlHnEJgDMLsdGK4Iku2HasQnA9Sw gwsbRaJnQXjdmdSbADQGcihJL5iDMj+mKs8H3xtDViFXFcsN3y++oLQWqfwihJnly3im UOyh8za5k5Xtau6WwOxX/jEmQoUlx9R8iMmUUEx6XWswWT7saQzbDcVkCC+GuxmDDhcA 59mXKLYkKOjqYLF+pHFVAkDRkJSnJ7ig1vEDqtdUufGjaVW/BxQY7M9AGQ9Xts6zBKBC Zc96aiPNUdFD0gXD3OgX91oRi5jAADkLpSMgGP1tp1OTfQUoPgpWFCoxBNd47NAOz82V x77g== X-Gm-Message-State: AKaTC01dXrY1pwS5+9oyD9M0fsSqSviRWlafOnQMjjkC9C1EAL4Wd1NvQX3861h8tI/b6VyN X-Received: by 10.176.3.143 with SMTP id 15mr6634258uau.10.1479755383780; Mon, 21 Nov 2016 11:09:43 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Subject: [PATCH v2] Fix writes past the allocated array bounds in execvpe (BZ#20847) Date: Mon, 21 Nov 2016 17:09:37 -0200 Message-Id: <1479755377-12442-1-git-send-email-adhemerval.zanella@linaro.org> Changes from previous version: - Fix memcpy write out the bound in maybe_script_execute. -- This patch fixes an invalid write out or stack allocated buffer in 2 places at execvpe implementation: 1. On 'maybe_script_execute' function where it allocates the new argument list and it does not account that a minimum of argc plus 3 elements (default shell path, script name, arguments, and ending null pointer) should be considered. The straightforward fix is just to take account of the correct list size. 2. On '__execvpe' where the executable file name lenght may not account for ending '\0' and thus subsequent path creation may write past array bounds because it requires to add the terminating null. The fix is to change how to calculate the executable name size to add the final '\0' and adjust the rest of the code accordingly. As described in GCC bug report 78433 [1], these issues were masked off by GCC because it allocated several bytes more than necessary so that many off-by-one bugs went unnoticed. Checked on x86_64 with a latest GCC (7.0.0 20161121) with -O3 on CFLAGS. [BZ #20847] * posix/execvpe.c (maybe_script_execute): Remove write past allocated array bounds. (__execvpe): Likewise. [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78433 --- ChangeLog | 7 +++++++ posix/execvpe.c | 19 ++++++++++++------- 2 files changed, 19 insertions(+), 7 deletions(-) -- 2.7.4 diff --git a/posix/execvpe.c b/posix/execvpe.c index d933f9c..96a12bf5 100644 --- a/posix/execvpe.c +++ b/posix/execvpe.c @@ -41,19 +41,20 @@ maybe_script_execute (const char *file, char *const argv[], char *const envp[]) ptrdiff_t argc = 0; while (argv[argc++] != NULL) { - if (argc == INT_MAX - 1) + if (argc == INT_MAX - 2) { errno = E2BIG; return; } } - /* Construct an argument list for the shell. */ - char *new_argv[argc + 1]; + /* Construct an argument list for the shell. It will contain at minimum 3 + arguments (current shell, script, and an ending NULL. */ + char *new_argv[argc + 2]; new_argv[0] = (char *) _PATH_BSHELL; new_argv[1] = (char *) file; if (argc > 1) - memcpy (new_argv + 2, argv + 1, argc * sizeof(char *)); + memcpy (new_argv + 2, argv + 1, (argc - 1) * sizeof(char *)); else new_argv[2] = NULL; @@ -91,10 +92,11 @@ __execvpe (const char *file, char *const argv[], char *const envp[]) /* Although GLIBC does not enforce NAME_MAX, we set it as the maximum size to avoid unbounded stack allocation. Same applies for PATH_MAX. */ - size_t file_len = __strnlen (file, NAME_MAX + 1); + size_t file_len = __strnlen (file, NAME_MAX) + 1; size_t path_len = __strnlen (path, PATH_MAX - 1) + 1; - if ((file_len > NAME_MAX) + /* NAME_MAX does not include the terminating null character. */ + if (((file_len-1) > NAME_MAX) || !__libc_alloca_cutoff (path_len + file_len + 1)) { errno = ENAMETOOLONG; @@ -103,6 +105,9 @@ __execvpe (const char *file, char *const argv[], char *const envp[]) const char *subp; bool got_eacces = false; + /* The resulting string maximum size would be potentially a entry + in PATH plus '/' (path_len + 1) and then the the resulting file name + plus '\0' (file_len since it already accounts for the '\0'). */ char buffer[path_len + file_len + 1]; for (const char *p = path; ; p = subp) { @@ -123,7 +128,7 @@ __execvpe (const char *file, char *const argv[], char *const envp[]) execute. */ char *pend = mempcpy (buffer, p, subp - p); *pend = '/'; - memcpy (pend + (p < subp), file, file_len + 1); + memcpy (pend + (p < subp), file, file_len); __execve (buffer, argv, envp);